Quickly exit this site by pressing the Escape key Leave this site
We use some essential cookies to make our website work. We’d like to set additional cookies so we can remember your preferences and understand how you use our site.
You can manage your preferences and cookie settings at any time by clicking on “Customise Cookies” below. For more information on how we use cookies, please see our Cookies notice.
Your cookie preferences have been saved. You can update your cookie settings at any time on the cookies page.
Your cookie preferences have been saved. You can update your cookie settings at any time on the cookies page.
Sorry, there was a technical problem. Please try again.
This site is a beta, which means it's a work in progress and we'll be adding more to it over the next few weeks. Your feedback helps us make things better, so please let us know what you think.
FOI Reference: 589/2023
Request:
No. 1 - A copy of your Record of Processing Activities [ROPA] covering all Cloud based services to include the elements listed under S.61 2(a) through 2(j) of the Act.
Since this is a document which the authority must already have in place and maintain under a statutory obligation I do not expect this to be difficult to provide with minimal effort.
Note: I do not require you to provide information falling under S.61 2(k) relating to security controls applied to meet your obligations under S.66 of the Act. this may be redacted from the ROPA.
No. 2 - A copy of applicable Data Protection Impact Assessment(s) conducted under the terms of the Data Protection Act 2018 Part 3 for any of the following Microsoft Cloud based services in use by your organisations:
a) Microsoft 365/M365 (& any component service of it including Teams & Dynamics 365)
b) Microsoft Azure (and its associated hosted services)
Please note:
i) A DPIA should not in general contain any specific information relating to system security measures requiring redaction before release but I am aware that some Policing organisations do include this information in their DPIA products.
ii) Reasonable redaction of such information - strictly and only to the extent necessary to maintain the security of Police operations (if this has been included in the DPIA) - is acceptable, as is removal or personal data where this does not relate to names of individuals in key responsible roles.
iii) General redaction of core information relating to any relevant DPIA content required to evidence your organisations achievement against their statutory obligations would however be unacceptable.
Redactions or refusals on the basis of exemptions under S.24, S.31 and/or S.36 (or their equivalent) shall be robustly challenged, since nothing in a DPIA should feasibly relate to such matters.
No.3 - A copy of the specific contract or terms of service applied for the above services between your organisations (as Controller) and Microsoft (as Processor) as required under S.59 of the Act; or confirmation that the Terms of Service applicable to your use of their services are solely the Microsoft Standard Terms.
Please note:
The Contract/Terms of Service do not need to include any financial information - I am not seeking that, or any other commercially sensitive information, at this time.
Response 1:
I can confirm that there is no information held by Dyfed-Powys Police.
Response 2a:
I can confirm that Dyfed-Powys Police does hold the information requested, as outlined below.
Please see Attachment 1 which is a copy of the Data Protection Impact Assessment for delivery of the National Management Centre and Identity Access Management and Productivity Services Programme DPIA.
Response 2b:
I can confirm that there is no information held by Dyfed-Powys Police due to the fact that we do not have a published/signed off version of the Performance Management Framework DPIA.
Please note: There is a draft version of this DPIA that is being worked upon. As a force we have implemented an Azure Landing Zone which is utilised as a data warehouse – Creation of this platform commenced in March 2023, however work continues to progress to model and import our data, due to the force implementing a new Crime Management System (NICHE), from May 2023.
Response 3:
I can confirm that Dyfed-Powys Police does hold the information requested, as outlined below.
Dyfed-Powys Police are contracted under Microsoft Standard Terms and Conditions.
It should be noted that as a result of the systems adopted by Dyfed-Powys Police in relation to the recording of such information that the information released may or may not be accurate.
(This is a response under the Freedom of Information Act 2000 and disclosed on 12/04/2024)